Query Details

RULE 03 AD DC Sync Non DC Replication

Query

// =========================================================
// RULE-03 | AD-DCSync-NonDC-Replication
// Description : DCSync detection — Event 4662 showing
//               DS-Replication-Get-Changes-All (or -Get-Changes)
//               access rights exercised by a source that is NOT
//               a known Domain Controller computer account.
//               Covers Mimikatz lsadump::dcsync, secretsdump,
//               and impacket GetUserSPNs with -just-dc flag.
// Severity    : Critical (any non-DC DCSync)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1003.006 — DCSync
// Tables      : SecurityEvent
// NOT duplicated: Sentinel built-in "Rare DCSync Activity" fires
//               on volume; this rule fires on ANY non-DC source
//               using exact DS-Replication GUIDs.
// =========================================================

let LookBack = 15m;

// DS-Replication-Get-Changes-All GUID
let ReplicationAllGUID = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
// DS-Replication-Get-Changes GUID
let ReplicationGUID    = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";

// Build dynamic DC list from this workspace (KDC-issuing machines)
let KnownDCNames = SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768
    | summarize by DCName = toupper(Computer)
    | project DCName;

let KnownDCAccounts = SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768
    | where TargetUserName endswith "$"
    | summarize by MachineAcct = toupper(TargetUserName);

SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4662                           // Operation performed on AD object
| where ObjectType has "domainDNS"
| where AccessMask == "0x100"                     // Control Access
| where Properties has ReplicationAllGUID
    or Properties has ReplicationGUID
// Exclude actual Domain Controllers
| where not(toupper(SubjectUserName) endswith "$"
            and toupper(SubjectUserName) in~ (KnownDCAccounts))
| where not(toupper(Computer) in~ (KnownDCNames))
| extend
    ActorAccount      = strcat(SubjectDomainName, "\\", SubjectUserName),
    IsServiceAccount  = SubjectUserName endswith "$",
    ReplicationRight  = case(
        Properties has ReplicationAllGUID, "DS-Replication-Get-Changes-All (Full DCSync)",
        Properties has ReplicationGUID,    "DS-Replication-Get-Changes (Partial)",
        "Unknown Replication Right"
    )
| summarize
    DCsyncCount        = count(),
    TargetObjects      = make_set(ObjectName, 10),
    ReplicationRights  = make_set(ReplicationRight),
    EarliestEvent      = min(TimeGenerated),
    LatestEvent        = max(TimeGenerated)
    by ActorAccount, SubjectUserName, SubjectDomainName, Computer, IsServiceAccount
| extend
    Severity = "Critical",
    WhySuspicious = strcat(
        "DCSync_From_NonDC; ",
        iff(IsServiceAccount, "ServiceAccount_Source; ", "UserAccount_Source; "),
        ReplicationRights
    )
| project
    TimeGenerated    = LatestEvent,
    Severity,
    WhySuspicious,
    ActorAccount,
    Computer,
    DCsyncCount,
    ReplicationRights,
    TargetObjects,
    EarliestEvent,
    LatestEvent
| order by DCsyncCount desc

Explanation

This query is designed to detect suspicious DCSync activities in an Active Directory environment. Here's a simplified explanation of what it does:

  1. Purpose: The query identifies instances where a non-Domain Controller (non-DC) account attempts to perform DCSync operations, which are typically used to replicate directory data. This is a critical security concern because it can indicate unauthorized access or data exfiltration attempts.

  2. Key Components:

    • Lookback Period: The query examines events from the last 15 minutes.
    • Replication GUIDs: It looks for specific GUIDs associated with DCSync operations, namely "DS-Replication-Get-Changes-All" and "DS-Replication-Get-Changes".
    • Known Domain Controllers: It dynamically builds a list of known Domain Controller names and accounts from recent events to exclude legitimate DC activities.
  3. Detection Logic:

    • The query searches for Event ID 4662, which indicates operations performed on Active Directory objects.
    • It filters for events involving the "domainDNS" object type and a specific access mask indicating control access.
    • It excludes events initiated by known Domain Controllers.
    • It identifies the actor account performing the operation and checks if it's a service account.
  4. Output:

    • The query summarizes the findings by counting the number of suspicious DCSync attempts, listing the target objects, and noting the replication rights used.
    • It provides details such as the actor account, computer name, and timestamps of the earliest and latest events.
    • The results are marked with a "Critical" severity level and include a "WhySuspicious" field explaining the reason for suspicion.
  5. Ordering: The results are ordered by the number of DCSync attempts in descending order, highlighting the most frequent offenders.

Overall, this query is a security measure to detect and alert on potential unauthorized replication activities in an Active Directory environment, which could indicate a security breach.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEventDomainControllerComputerAccountUserReplicationRightEventObjectDomainNameActorServiceTimeGeneratedSeverity

Operators

letagotoupperendswithsummarizebyprojectwherehasornotin~extendstrcatcasemake_setminmaxifforder bydesc

MITRE Techniques

Actions

GitHub